CVE-2026-50135
Hugo: Symlink confinement bypass in resources.Get
CVSS Score
0.0
EPSS Score
0.4%
EPSS Percentile
28th
Hugo is a static site generator. From 0.123.0 to 0.161.1, a regression made RootMappingFs.statRoot use Stat (follows symlinks) instead of Lstat , so a direct resources.Get of a symlink pointing outside its mount returned the target's contents — letting a symlink planted in a local mount (e.g. a vendored themes/ theme) read arbitrary files accessible to the Hugo user. Go-module themes from GitHub (symlinks stripped) and directory walks were unaffected. Fixed in 0.162.0.
| CWE | CWE-59 |
| Vendor | gohugoio |
| Product | hugo |
| Published | Jul 6, 2026 |
| Last Updated | Jul 7, 2026 |
Stay Ahead of the Next One
Get instant alerts for gohugoio hugo
Be the first to know when new unknown vulnerabilities affecting gohugoio hugo are published — delivered to Slack, Telegram or Discord.
Get Free Alerts →
Free · No credit card · 60 sec setup
Affected Versions
gohugoio / hugo
>= 0.123.0, < 0.162.0